For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Advanced WAF v16.0 - Declarative API

Since v15.1 (in draft), F5® BIG-IP® Advanced WAF™ can import Declarative WAF policy in JSON format. The F5® BIG-IP® Advanced Web Application Firewall (Advanced WAF) security policies can be deploy...
Published Jul 30, 2020
Version 1.0
api
application delivery
AS3
ASM Advanced WAF
declarative
SecOps
security
series-devcentral-basics
waf
Matt_Dierick's avatar
Icon for Employee rankEmployee
Security Solution Architect for F5 Networks since 2012. Focusing on Application Access and API Security. You can find more how-to on my YouTube channel : https://goo.gl/eErp51
View Profile
Matt_Dierick's avatar
Icon for Employee rankEmployee
Security Solution Architect for F5 Networks since 2012. Focusing on Application Access and API Security. You can find more how-to on my YouTube channel : https://goo.gl/eErp51
View Profile
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Feb 06, 2023

Thanks! Is there a way to push JSON file with F5 Ansible module like "bigip_asm_policy_import". I know that probably the URI Ansbile module will do the trick but I am looking for a native way to push the ASM policy and then use the new " bigip_as3_deploy" module (the new way to push AS3 Declarations and I made an article about it https://community.f5.com/t5/codeshare/comparison-between-deploying-as3-or-fast-iapp-declarations-with/ta-p/309613 ) to deploy the AS3 declaration that will reference the pushed policy.

 

I tried to replace "url": "http://10.1.20.4/root/as3-waf-api/-/raw/master/policy-api.json" with the ASM policy but if I do not want to host the ASM polcy on git then I see the option I mentioned as pushing the ASM policy to the F5 and then referencing it in the AS3.

 

Edit:

 

I think with the Ansible URI module I can script the file upload commands (the bigip_asm_policy_import seems to have issues so the URI module seems the better option for file upload and then making the asm policy from the file upload) as have for other stuff but still a native Ansible module that can also auto calculate the "Content-Range" header for file upload will really be helpfull but as you mentioned using the "Pull" could be an option.

 

Managed to make it work with the URI module, just for some reason the F5 thinks the files are the wrong falue and this seems like a bug.

 

"message": "Chunk byte count 402 in Content-Range header different from received buffer length 394",

 

└─# stat -c%s asm_policy.json
665

 

 

tasks:


- name: PUSH FILE WAF

uri:

url: "https://{{ ansible_host }}/mgmt/tm/asm/file-transfer/uploads/asm_policy.json"

method: POST

body: "{{ lookup('template','asm_policy.json', split_lines=False) }}"

status_code: 200

timeout: 300

body_format: json

force_basic_auth: yes

user: "{{ ansible_user }}"

password: "{{ ansible_httpapi_password }}"

validate_certs: no

headers:
Content-Range: 0-393/394
Content-Type: application/octet-stream

 

- name: PUSH WAF

uri:

url: "https://{{ ansible_host }}/mgmt/tm/asm/tasks/import-policy"

method: POST

body: "{{ lookup('template','asm_config.json', split_lines=False) }}"

status_code: 201

timeout: 300

body_format: json

force_basic_auth: yes

user: "{{ ansible_user }}"

password: "{{ ansible_httpapi_password }}"

validate_certs: no

headers:
Content-Type: application/javascript